Описание
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 2.02-2ubuntu8.16 |
| devel | not-affected | 2.06-2ubuntu18 |
| esm-infra-legacy/trusty | not-affected | 2.02~beta2-9ubuntu1.20 |
| esm-infra/bionic | not-affected | 2.02-2ubuntu8.16 |
| esm-infra/focal | not-affected | 2.04-1ubuntu26.1 |
| esm-infra/xenial | not-affected | 2.02~beta2-36ubuntu3.26 |
| focal | released | 2.04-1ubuntu26.1 |
| groovy | not-affected | 2.04-1ubuntu26.1 |
| hirsute | not-affected | 2.04-1ubuntu26.1 |
| jammy | not-affected | 2.06-2ubuntu7 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 1.93.18 |
| devel | not-affected | 1.193 |
| eoan | ignored | end of life |
| esm-infra-legacy/trusty | not-affected | 1.34.22 |
| esm-infra/bionic | not-affected | 1.93.18 |
| esm-infra/focal | not-affected | 1.142.3 |
| esm-infra/xenial | not-affected | 1.66.26 |
| focal | released | 1.142.3 |
| groovy | not-affected | 1.147 |
| hirsute | not-affected | 1.147 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 2.04-1ubuntu47.4 |
| devel | not-affected | 2.06-2ubuntu17 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/bionic | needs-triage | |
| esm-infra/focal | not-affected | 2.04-1ubuntu47.4 |
| esm-infra/xenial | needed | |
| focal | released | 2.04-1ubuntu47.4 |
| jammy | not-affected | 2.06-2ubuntu7 |
| kinetic | not-affected | 2.06-2ubuntu12 |
| lunar | not-affected | 2.06-2ubuntu16 |
Показывать по
Ссылки на источники
EPSS
3.6 Low
CVSS2
5.7 Medium
CVSS3
Связанные уязвимости
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
There is an issue on grub2 before version 2.06 at function read_sectio ...
There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.
Уязвимость реализации функции read_section_as_string() загрузчика операционных систем Grub2, позволяющая нарушителю оказать влияние на целостность данных или вызвать отказ в обслуживании
EPSS
3.6 Low
CVSS2
5.7 Medium
CVSS3